Ninja Security

Want to stop being being scared of having your site hacked or defaced?

Would you like something as simple to use as a virus scanner for your Joomla!™ Website? If so then you urgently need NinjaSecurity!

NinjaSecurity is a system plugin that monitors the what is called GPC data. Any incoming data is scanned for specially defined patterns, which you can modify as you want and if it detects these patterns, then any attempts will be blocked and the Hacker will then be banned after the attacking attempt.

Warning: You must remain vigilant with your security!
While Ninja Security will protect you from many attack types, there are some security leaks, such as "Remote File Inclusion” attacks, from which no Joomla!™ extension can protect.
However, all forms of "SQL and Code Injection” can be avoided thanks to Ninja Security.

Documentation

Basic Setup

Install the plugin.

Enter the email(s) to which the system alerts shall be sent.

Publish the plugin.

Tips and Advanced Usage

All parameters have tooltips, visible as a speech bubble as you hover its label with your mouse. Unless the effect of a particular parameter is obvious, the tooltips can give good usage hints.

Email

Here you can define the email address, where the system will send the alert messages. You can enter only one address, or in the case that several administrators are responsible for your web site, you can enter a comma separated list.

Exploit Strings

Here you can enter the scan patterns, for which the system will then search all incoming data. Please enter every exploit string on its own line. Note that whitespaces have to be entered as hexadecimal URL code: %20.

Time Window

Here you should enter a period of time in seconds. Once an attack was noticed the system will ban the IP address of the attacker, resulting in an "Access Denied" page. The default value is set to 3600 seconds (three hours). This time window is usually sufficient to make an attacker lose interest and move on to somewhere easier to attack.

Please note that access to your site will be denied completely, includign the administration side. If you want to do some testing then choose a very small time window while doing it, because you will be locked out from your admin panel!

Secure Login

Activate the secure login in order to prevent an attack variant called "Bruteforce Dictionary Attack". With this variant an attacker tries a full list of passwords, hoping that one them will succeed.

WARNING:
Please note that the login will possibly be no longer secure, when you exclude one or more components from the exploit pattern matching. For the case that one of the excluded components is prone to an „SQL Injection”, the attacker will be able to read the 'Login Key' from the database.

Login Key

The 'Login Key' is an identifying indicator, that you are authorized to login to the Admin Panel of this Joomla! installation. This key has to be passed to Joomla's Backend page as part of the URI (Uniform Resource Locator), otherwise access to the login page will be denied.

The following example shows how:

http://example.com/administrator/?loginKey

IP Addresses

Enter here IP addresses and/or complete networks / sub-nets, that will be permanently blocked. IP addresses have to be written in dotted-quad notation (e.g. 1.2.3.4) and IP ranges with network mask (e.g. 1.2.3.4/24).

Advanced Parameter

Unfortunately under certain cirtumstances the exploit pattern matching through NinjaSecurity for the defense of Injection Attacks can cause the blockage of valid content and the temporary ban of users.

Frontend User Groups

The Backend User groups by default are excluded from the exploit pattern matching, because they are supposed to be trustworthy groups.

So configure here which of the Frontend User Groups are supposed to be trustworthy, and if they are to include or exclude from the exploit pattern matching.

Components

Here you can configure components that shall be excluded from the exploit pattern matching. This can be useful when you for instance want to run a comment component such as JComment, where security relevant topics will be discussed by non registered users.

Once a component is excluded from the exploit pattern matching, the Frontend User Groups are no longer considered when sending data to this particular component.

At first enter a number greater than zero at the field Exclude and click the apply button at the toolbar menu. Hereafter the dropdown lists appear and you can define the components, that shall be excluded from exploit pattern matching.

WARNING:
Please note that in that case you urgently have to monitor the Security Advisories for known vulnerabilities in order to temporary include this component to the exploit pattern matching for the emergency case.

Also you should anytime be up to date regarding upgrades or security fixes for you excluded component. Keep your software anytime as actual as possible.

Changelog

Version: 1.0.7
Date: January 2010
State: Bug Fix Release

The component excluder created a wrong, respectively too small component list.

Updated exploit pattern list.

Version: 1.0.6
Date: December 2009
State: Upgrade Release

Added IP / IP range white listing.

Version: 1.0.5
Date: December 2009
State: Bug Fix Release

Added a defined() clause in order to avoid an "Cannot redeclare constant" error.

Fixed WSOD (white screen of death) on IP ban.

Version: 1.0.4
Date: July 2009
State: Bug Fix Release

Added utmcmd= to exclude list by default to prevent people locking themselves out.

Changed default lock out time to 3 minutes (was 3 hours)in case people lock themselves out when testings.

Version: 1.0.3
Date: March 2009
State: Bug Fix Release

Corrected syntax errors and wanings.

Version: 1.0.2
Date: February 2009
State: Bug Fix & Upgrade Release

Added Exclude Strings

Added IP / IP range blacklisting

Changed component excluding parameters to dynamic

Moved assets to the media directory

Version: 1.0.1
Date: January 2009
State: Bug Fix & Upgrade Release

Added Secure AdminPanel Login (inspired by JSecure Authentication)

Added Frontend User Group Control

Added Component Control

Version: 1.0.0
Date: January 2009
State: Initial Release

Scan for exploit patterns on all incoming data

System alerts via email on detected exploits

Configurable time window for banning attackers IPs

Frequently Asked Questions

I Can't Get Into My Joomla Admin Panel. What Do I Do?

Maybe you've just tested your site, or it has recently been attacked from a computer in your internet provider's network, where the attacker had your actual IP address. Now you can't access your site for exactly that time period you configured as the time window.

In that case please disconnect your computer from the internet and open a new connection. Your internet provider will then assign your computer to another IP address and you can access your admin panel again.

I Get a Scary "Access denied" Message When I Log Out Of The Joomla Admin Panel. What Does This Mean?

This is a regular process. On a logout the PHP Session is dropped, where Ninja Security has stored a unique indicator of your authorization, before you logged in.

Thus after logout the indicator does not exist anymore and Ninja Security, as it should be, denies access to the login page.

I'm kicked out of my AdminPanel, no authorization.

When your admin session expires the PHP session is dropped, where Ninja Security has stored a unique indicator of your authorization, before you logged in. Please note that not Ninja Security kicked you out of the admin panel, but Joomla did due to your expired session.

Regularly you would now be redirected to the login page, but due to the non-existent unique indicator NinjaSecurity denies access.

You will now have to use your Login Key in order to login again.

My exploit string doesn't work.

Please note that every exploit string has to be written on its own line.

It's also very important to write whitespace as hexadecimal URL codes. So please don't write union select, but union%20select.